[0/3] Add stack protector

Message ID	20241122210719.2572072-1-volodymyr_babchuk@epam.com (mailing list archive)
Headers	show Return-Path: <xen-devel-bounces@lists.xenproject.org> Errors-To: xen-devel-bounces@lists.xenproject.org Precedence: list Sender: "Xen-devel" <xen-devel-bounces@lists.xenproject.org> From: Volodymyr Babchuk <Volodymyr_Babchuk@epam.com> To: "xen-devel@lists.xenproject.org" <xen-devel@lists.xenproject.org> CC: Volodymyr Babchuk <Volodymyr_Babchuk@epam.com>, Andrew Cooper <andrew.cooper3@citrix.com>, Jan Beulich <jbeulich@suse.com>, Julien Grall <julien@xen.org>, Stefano Stabellini <sstabellini@kernel.org>, Anthony PERARD <anthony.perard@vates.tech>, Samuel Thibault <samuel.thibault@ens-lyon.org>, =?iso-8859-1?q?Roger_Pau_Mo?= =?iso-8859-1?q?nn=E9?= <roger.pau@citrix.com>, Bertrand Marquis <bertrand.marquis@arm.com>, Michal Orzel <michal.orzel@amd.com>, Volodymyr Babchuk <Volodymyr_Babchuk@epam.com>, Alistair Francis <alistair.francis@wdc.com>, Bob Eshleman <bobbyeshleman@gmail.com>, Connor Davis <connojdavis@gmail.com>, Oleksii Kurochko <oleksii.kurochko@gmail.com> Subject: [PATCH 0/3] Add stack protector Thread-Topic: [PATCH 0/3] Add stack protector Thread-Index: AQHbPSKJvmf4+DJbxEu3vjqcFnhN7Q== Date: Fri, 22 Nov 2024 21:07:29 +0000 Message-ID: <20241122210719.2572072-1-volodymyr_babchuk@epam.com> Accept-Language: en-US Content-Language: en-US Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0
Series	Add stack protector \| expand [0/3] Add stack protector [1/3] xen: common: add ability to enable stack protector [2/3] xen: arm: enable stack protector feature [3/3] xen: riscv: enable stack protector feature

Message ID

20241122210719.2572072-1-volodymyr_babchuk@epam.com (mailing list archive)

Headers

Errors-To: xen-devel-bounces@lists.xenproject.org
Precedence: list
Sender: "Xen-devel" <xen-devel-bounces@lists.xenproject.org>
From: Volodymyr Babchuk <Volodymyr_Babchuk@epam.com>
To: "xen-devel@lists.xenproject.org" <xen-devel@lists.xenproject.org>
CC: Volodymyr Babchuk <Volodymyr_Babchuk@epam.com>,
 Andrew Cooper <andrew.cooper3@citrix.com>, Jan Beulich <jbeulich@suse.com>,
 Julien Grall <julien@xen.org>, Stefano Stabellini <sstabellini@kernel.org>,
 Anthony PERARD <anthony.perard@vates.tech>,
 Samuel Thibault <samuel.thibault@ens-lyon.org>, =?iso-8859-1?q?Roger_Pau_Mo?=
	=?iso-8859-1?q?nn=E9?= <roger.pau@citrix.com>,
 Bertrand Marquis <bertrand.marquis@arm.com>,
 Michal Orzel <michal.orzel@amd.com>,
 Volodymyr Babchuk <Volodymyr_Babchuk@epam.com>,
 Alistair Francis <alistair.francis@wdc.com>,
 Bob Eshleman <bobbyeshleman@gmail.com>, Connor Davis <connojdavis@gmail.com>,
 Oleksii Kurochko <oleksii.kurochko@gmail.com>
Subject: [PATCH 0/3] Add stack protector
Thread-Topic: [PATCH 0/3] Add stack protector
Thread-Index: AQHbPSKJvmf4+DJbxEu3vjqcFnhN7Q==
Date: Fri, 22 Nov 2024 21:07:29 +0000
Message-ID: <20241122210719.2572072-1-volodymyr_babchuk@epam.com>
Accept-Language: en-US
Content-Language: en-US
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: =?iso-8859-1?q?VTFR4i6muhibFOShnM6jTUA?=
	=?iso-8859-1?q?+QHOXGmUOYYbnGZ/jZudnDJl6Ffa6T9Vi81NC0aTf94Ot3xesgdZc7imHscT?=
	=?iso-8859-1?q?fM5VtI/kkLVyl0zmOroLwuXmMLcRAG4lIKttnxMZ7E3EqFEzrgZEWFpwrGrL?=
	=?iso-8859-1?q?yJv8dZC04jXGvChBSDfj20D+a807TLRsZFSDGP2qtTD1uVTNlxspmszqoxRu?=
	=?iso-8859-1?q?WPkYTI11WZ8xPIo844riZjR1FnWCIG/o0jD6+6PJhm2hmeke63jE6YUOeoX5?=
	=?iso-8859-1?q?Ybh/wOcIvUGZrPlBOye0STZuL0Ve5EH78OraRWgpMS48xr/f/FMNimlrNCxk?=
	=?iso-8859-1?q?P381FeRmNbs19h2lNE/IH6qNL3f1vKs6j5oXyGg2GF0d7iPa4e5VAlwPbHqW?=
	=?iso-8859-1?q?T5xYRh3vD15WdadnP2zsLnfM+/1fHv829Ev79SUMkGwPqSzooi86kIiCxYYC?=
	=?iso-8859-1?q?s0ZBzCrDQ53mV2J41m9BWtuTjn4wVjIIqJZljQjA83+B1mtqGmxunqv5R0I8?=
	=?iso-8859-1?q?Gw6mBILVlJEYuwE7Weu1jIQT4mg1ZoQwcKd9M+ombHnCiDROaomXWA+q6Jkm?=
	=?iso-8859-1?q?7Q5pXK6WuYFast09pE+MEIJ72twI7atFpCAuTSrhJnhZaA7BCwj+YWEXJVRm?=
	=?iso-8859-1?q?XbAFEWqFXFDzSkBRTUuKSnUbzMtRn/Z1wew0nmTaSRLiFUBT+C/SXzPz6Cl/?=
	=?iso-8859-1?q?+l3AnLC4x5YvPwv3qKffIx9P3cLI+yQrcH3+kpHPnmk9+QRdp2UswO31V2qd?=
	=?iso-8859-1?q?nmVa4oY3Keto2/oVSQP+mVxIk8wLydm5T6L25Em0owdDDJwh2X/LV4in+Eyq?=
	=?iso-8859-1?q?0YXvczf2yv2Di2cvI1t1vLFO9QI1qoAYYafF5xiBh/ppzc322G5h3y2rV7NU?=
	=?iso-8859-1?q?3KSBTVuPcmcFyr3n3kYJ9d2IIK6aEDIo/ETa4rGWLuIJRJCSapJ2ILPrwSrw?=
	=?iso-8859-1?q?KrsmCcpKKER/a8oYF3uDkXbEKbwODcIcWbsA9+xc5hP8sdHWqDjDcHV2eZD6?=
	=?iso-8859-1?q?5aMq4e4cyBfRXzk9U8ekdXauOJ4rWhly3IrCLCedVJ76YXFoP4PaWXWCrVz/?=
	=?iso-8859-1?q?8st97aA7rRbxErMxcvg41/PuQAP09F5Tr93rsPVEDDZj87UHJg/zr5Cg9f83?=
	=?iso-8859-1?q?+2rtsb5Y+5DphqGi6GFyt0SB9SZB0lkacMMpeJcsULSLJX3dFv/cty+plCQ4?=
	=?iso-8859-1?q?F8KbsjgRmYvM5XDRaZn5XPfckepthrDOJzPny/vTIY1MRVWD9UB2xj88jZPb?=
	=?iso-8859-1?q?Oh4Wanhg1N3FuKN28m46Lao4xaqABatRldFZQ1yj95v3pPxJ33Cnwjebex6h?=
	=?iso-8859-1?q?vqa2vjjoH/M3snck4JBCyLJAJ93EUmzAhUKovBlFT91dRE9L4wT/tup2LcS0?=
	=?iso-8859-1?q?tn526y6WqpS4BdhTVknHEfMhxajM/4lB2e2mlMgAcMIBtSkjk3Fb2/BPXQ+q?=
	=?iso-8859-1?q?OVfc/izUJSD/ME7l3HbqA6bxwm8W3drTplf5DeoCT2Rkmk21Muwc6TQWUdAu?=
	=?iso-8859-1?q?QABCTTZgf6IrcNKbg3zMv3BTvNplO2z3wA36WcqU6uh75P23q4W6q1Ye+Q4N?=
	=?iso-8859-1?q?11Iv2rGHPc3UV7wuO9N/IycSOIRMX/O9okggAomuF+8xCnLU4CAs8m+TDmhR?=
	=?iso-8859-1?q?m9K/tQcKr9T6E//TW7Wvo6xtlDyGi0NnpIvCkPg=3D=3D?=
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: epam.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: GV1PR03MB10456.eurprd03.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 
 0ea95a58-1046-4d54-20ce-08dd0b39ac7c
X-MS-Exchange-CrossTenant-originalarrivaltime: 22 Nov 2024 21:07:29.1312
 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: b41b72d0-4e9f-4c26-8a69-f949f367c91d
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: 
 h/Mnn3ykmu5Rlc3cWISliAFH7S+t9DRgycId1yKHpgssN2f9ujHq39G0iBXmrYmCkg7fDlujskuPLf51tHIlPzCrgtmZnPs4VHMKzLmDxV8=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: PAWPR03MB9738

Series

Add stack protector | expand

Message

Volodymyr Babchuk Nov. 22, 2024, 9:07 p.m. UTC

Both GCC and Clang support -fstack-protector feature, which add stack
canaries to functions where stack corruption is possible. This series
makes possible to use this feature in Xen. I tested this on ARM64 and
it is working as intended. Tested both with GCC and Clang.

My aim was to enable it on x86 also, but it appears that on x86 GCC
stores canary value in TLS, exactly at fs:40, which is hardcoded. As
Xen does not setup fs register for itself, any attempt to enable stack
protector leads to paging abort.

I also tested build-ability for RISCV platform, but didn't tested that
it does not break anything, so we will need RISCV maintainer's
approval.

Volodymyr Babchuk (3):
  xen: common: add ability to enable stack protector
  xen: arm: enable stack protector feature
  xen: riscv: enable stack protector feature

 Config.mk                            |  2 +-
 stubdom/Makefile                     |  2 ++
 tools/firmware/Rules.mk              |  2 ++
 tools/tests/x86_emulator/testcase.mk |  2 ++
 xen/Makefile                         |  6 ++++++
 xen/arch/arm/Kconfig                 |  1 +
 xen/arch/arm/setup.c                 |  3 +++
 xen/arch/riscv/Kconfig               |  1 +
 xen/arch/riscv/setup.c               |  3 +++
 xen/common/Kconfig                   | 13 ++++++++++++
 xen/common/Makefile                  |  1 +
 xen/common/stack_protector.c         | 16 +++++++++++++++
 xen/include/xen/stack_protector.h    | 30 ++++++++++++++++++++++++++++
 13 files changed, 81 insertions(+), 1 deletion(-)
 create mode 100644 xen/common/stack_protector.c
 create mode 100644 xen/include/xen/stack_protector.h

Comments

Andrew Cooper Nov. 23, 2024, 7:41 a.m. UTC | #1

On 22/11/2024 9:07 pm, Volodymyr Babchuk wrote:
> Both GCC and Clang support -fstack-protector feature, which add stack
> canaries to functions where stack corruption is possible. This series
> makes possible to use this feature in Xen. I tested this on ARM64 and
> it is working as intended. Tested both with GCC and Clang.
>
> My aim was to enable it on x86 also, but it appears that on x86 GCC
> stores canary value in TLS, exactly at fs:40, which is hardcoded. As
> Xen does not setup fs register for itself, any attempt to enable stack
> protector leads to paging abort.

It's rather worse than a #PF, if a devious PV guest decides to map
memory at 0.

There's a long and complicated history with stack-protector on x86.

It is %fs:40 by default, but this becomes %gs:40 with -mcmodel=kernel
(which Xen doesn't use, but is necessary to know if anyone wants to look
at how Linux does this.)

Xen on x86 uses neither %fs nor %gs for per-cpu variables, because PV
guests do.  This happens to have saved us from a number of privilege
escalation corner cases that exist in the x86 architecture.  I'm very
reluctant to open ourselves up to such problems just to support
stack-protector.

With GCC 8.1, we get -mstack-protector-{guard,reg,offset} to fine-tune
things a whole lot more.  I am not sure when these got into Clang.

In particular, -mstack-protector-guard=global lets us have a scheme that
seems to be the same as the ARM/RISCV, which is probably good enough to
start with, although it involves restarting the toolchain debate and is
probably not something you want to do in this series.

See
https://lore.kernel.org/lkml/20241105155801.1779119-1-brgerst@gmail.com/T/#u
for most of the gory details.

> I also tested build-ability for RISCV platform, but didn't tested that
> it does not break anything, so we will need RISCV maintainer's
> approval.

There's a RISC-V smoke test in gitlab CI, but you can run it locally too.

~Andrew